Session Fixation
Monthly
Session fixation in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 enables remote attackers to pre-set a known session identifier in a victim's browser, then hijack the authenticated session after the victim logs in. The CVSS 4.0 score of 2.9 reflects limited impact scope (low confidentiality, integrity, and availability) combined with high attack complexity, though a public exploit has been released (E:P). No CISA KEV listing indicates no confirmed widespread active exploitation at time of analysis.
Session fixation in the Wikimedia Foundation OAuth MediaWiki extension (src/Backend/MWOAuthServer.php) allows a network-accessible, low-privileged attacker to manipulate the OAuth authorization handshake so that a victim's authentication binds to an attacker-controlled session identifier. All four actively maintained release branches are affected through versions 1.46.0, 1.45.4, 1.44.6, and 1.43.9. No public exploit or CISA KEV listing exists at time of analysis; however, the 'Information Disclosure' tag applied to this CVE creates tension with the vendor-supplied CVSS 4.0 zero-impact scoring and warrants independent verification.
Session fixation in the Capgo cloud console login endpoint (console.capgo.app/login) allows unauthenticated remote attackers to force victims into attacker-controlled sessions by crafting malicious URLs containing attacker-owned tokens. Versions before 12.128.2 silently accept access_token and refresh_token as URL query parameters and authenticate the user without confirmation, bypassing normal login flows. Tokens passed via URL are additionally exposed in browser history, server access logs, and HTTP Referer headers, creating secondary information-disclosure risk. No public exploit code and no CISA KEV listing exist at time of analysis.
Session fixation in KTM System e-BOK (an online customer service portal) enables an attacker to preset a session identifier in a victim's browser before authentication, which the application then retains unchanged after successful login. Because the server accepts a client-supplied cookie value and never regenerates it at the authentication boundary, an attacker who controls the initial session token can hijack the victim's fully authenticated session. A patch was published by KTM System in June 2026; no public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Multiple OAuth 2.0 flow weaknesses in the MISP AAD (Azure Active Directory) authentication plugin allow session hijacking, session fixation, CSRF/replay against the OAuth callback, plaintext credential exposure over non-HTTPS redirect URIs, and log injection. The plugin reused the PHP session_id() as the OAuth state parameter, never rotated the session ID after login, did not enforce HTTPS on the redirect URI, and logged attacker-controlled GET parameters verbatim. No public exploit identified at time of analysis, but an upstream fix is available in MISP commit 146bc40.
Session fixation in Digiwin EasyFlow .NET allows unauthenticated remote attackers to pre-set a victim's session identifier and hijack the authenticated session once the victim logs in, inheriting the victim's privileges. No public exploit identified at time of analysis, but the CVSS 4.0 score of 7.7 and HIGH impact across confidentiality, integrity, and availability mark this as a meaningful risk for organizations using the workflow platform. The flaw is tracked under CWE-384 and was disclosed via TWCERT, with no specific patched version cited in the provided references.
Session fixation in Spring Framework's WebFlux reactive stack (versions 5.3.x through 7.0.x) enables a remote attacker to hijack an authenticated user's session by leveraging a compromised subdomain - typically via cross-site scripting - to plant a known session ID and exchange it for the victim's authenticated session post-login. The attack is classified as CWE-384 and requires both a prior subdomain compromise and user interaction, placing real-world exploitability well below the headline concern for most deployments. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Session fixation in tittuvarghese CollegeManagementSystem enables remote attackers to hijack authenticated user sessions by pre-setting a session identifier via the UserAuthData argument passed to session_start() in /login-form.php. Successful exploitation requires a victim to complete login through an attacker-crafted URL, granting the attacker access to the victim's authenticated session with partial confidentiality, integrity, and availability impact (C:L/I:L/A:L). A publicly available exploit exists via a published GitHub issue, but no patch has been released and the maintainer has not responded to responsible disclosure.
Authentication bypass in Neterbit NW-431F routers running firmware 20241014-IR03 and earlier allows remote unauthenticated attackers to gain administrative access by simply setting a session cookie value to a predictable string such as 'admin'. The CVSS 9.8 rating reflects trivial network exploitability with full confidentiality, integrity, and availability impact, and a public proof-of-concept exists in the referenced GitHub repository, though the issue is not currently listed in CISA KEV.
Session fixation in QuickCMS (OpenSolution) allows an attacker to pre-set a victim's session identifier before the victim authenticates, and because the application fails to regenerate the session ID upon login, the attacker can subsequently hijack the fully authenticated session. All QuickCMS 6.8 deployments lacking the patch published on 2026-05-15 are vulnerable. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the attack requires no attacker privileges and only passive user interaction, making targeted abuse realistic wherever attacker session pre-positioning is feasible.
Cross-Space session fixation in Gradio before 6.15.0 lets an attacker who controls any Hugging Face Space poison a process-wide httpx.AsyncClient shared by the framework's /proxy= reverse-proxy endpoint. Because that single client keeps one cookie jar, a Set-Cookie header returned by a malicious upstream Space is stored and automatically replayed on every subsequent proxied request to sibling *.hf.space URLs, allowing the attacker to fix a parent-domain cookie across all users of the same Gradio deployment. SSVC rates exploitation as proof-of-concept with total technical impact; the issue is not in CISA KEV and is fixed in release 6.15.0 (GHSA-2mr9-9r47-px2g).
Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID.
Session fixation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.
Session fixation in Pandora FMS versions 777-800 enables session hijacking when attackers supply crafted session IDs to users. Successful exploitation grants attackers complete access to victim user sessions with high confidentiality and integrity impact. No public exploit code identified at time of analysis, though attack complexity is low with network-based delivery requiring only user interaction (CVSS 7.6).
Session fixation vulnerability in docuFORM Managed Print Service Client 11.11c allows unauthenticated remote attackers to hijack user sessions via the login page, enabling unauthorized access to application functions and potential disclosure of sensitive print job data. The vulnerability requires user interaction (clicking a malicious link) and affects confidentiality and integrity with a CVSS score of 5.4. No public exploit code or active exploitation has been confirmed at the time of analysis.
Privilege escalation in Open WebUI ≤0.8.12 allows demoted administrators to retain elevated access to collaborative documents via stale Socket.IO sessions. When an admin user is demoted or deleted, their active WebSocket connection preserves cached admin privileges indefinitely through heartbeat mechanisms, enabling unauthorized read/write access to any user's notes. Official patch released in version 0.9.0 addresses the session invalidation gap. CVSS 8.1 (High) with network attack vector and low complexity; no public exploit identified at time of analysis.
Session fixation in Apache Wicket AuthenticatedWebSession allows remote unauthenticated attackers to hijack user sessions and escalate privileges by fixing session identifiers before authentication completes. Affects Wicket 8.0.0-8.17.0, 9.0.0-9.22.0, and 10.0.0-10.8.0. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability despite critical CVSS 9.1, suggesting this requires specific deployment conditions. Not listed in CISA KEV; no public POC identified at time of analysis. Apache has published vendor advisories with fix versions across all three major release branches.
Dell PowerProtect Data Domain DD OS versions 8.4-8.5 contain a session fixation vulnerability allowing high-privileged remote attackers to hijack authenticated sessions and gain unauthorized access without requiring user interaction. CVSS 6.2 reflects the high-complexity attack surface (AC:H) offset by elevated attacker privileges (PR:H) and direct confidentiality/integrity impact; no public exploit or active exploitation has been identified at time of analysis.
Session fixation in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 enables unauthenticated remote attackers to hijack user sessions via main/lp/aicc_hacp.php. User-controlled request parameters directly manipulate PHP session IDs before application bootstrap, allowing attackers to force victims into attacker-controlled sessions. Successful exploitation grants high-severity access to confidential data and platform integrity. No public exploit identified at time of analysis.
Session hijacking in the Model Context Protocol Ruby SDK (mcp gem) allows attackers to intercept Server-Sent Events streams by reusing valid session identifiers. The streamable_http_transport.rb implementation overwrites existing SSE stream objects when a duplicate session ID connects, silently disconnecting legitimate users and redirecting all tool responses and real-time data to the attacker. A proof-of-concept demonstration has been provided showing successful stream hijacking, where the attacker receives confidential tool call responses intended for the victim. Patch available per vendor advisory (release v0.9.2 per references).
Bludit versions prior to 3.17.2 allow attackers to fix a victim's session identifier before authentication, with the session ID persisting unchanged after successful login, enabling authenticated session hijacking via session fixation. The vulnerability affects all Bludit instances below version 3.17.2 and requires local access and user interaction to exploit. No public exploit code or active exploitation has been identified at the time of analysis, though the session fixation mechanism poses a moderate risk in multi-user or shared-access environments.
Session fixation via remote phishing in OpenBao before 2.5.2 lets an unauthenticated attacker hijack a victim's identity when a JWT/OIDC auth role is configured with callback_mode=direct. Because direct mode skips any confirmation prompt and calls back straight to the API, an attacker initiates the auth flow, lures a victim into completing the login through a crafted URL, then polls the API to collect the OpenBao token that gets issued under the victim's identity. There is no public exploit identified at time of analysis, EPSS is low (0.06%, 19th percentile), and it is not in CISA KEV, though SSVC rates the technical impact as total.
Session invalidation failure in HCL Aftermarket DPC versions up to 1.0.0 allows authenticated attackers to maintain active sessions after a password change, enabling persistent account takeover. An attacker who gains initial session access can continue to operate under a compromised account identity even after the victim resets their password, as the application fails to terminate pre-existing sessions upon credential modification. No public exploit code or active exploitation has been identified at time of analysis.
AVideo, an open-source video platform, contains a session fixation vulnerability that allows attackers to hijack user sessions and achieve full account takeover. The flaw affects the AVideo Composer package (pkg:composer/wwbn_avideo) and stems from accepting arbitrary session IDs via URL parameters, bypassing session regeneration for specific endpoints, and disabled session regeneration during login. A public proof-of-concept exploit is available in the GitHub security advisory, and the vulnerability requires only low privileges (authenticated attacker) and user interaction (victim clicking a malicious link), making it highly exploitable.
ScadaBR 1.12.4 is vulnerable to Session Fixation. The application assigns a JSESSIONID session cookie to unauthenticated users and does not regenerate the session identifier after successful authentication. [CVSS 4.8 MEDIUM]
Session fixation vulnerability in PluXml CMS allows attackers to set session identifiers before authentication, enabling session hijacking after the victim logs in.
SourceCodester Prison Management System 1.0 contains a session fixation vulnerability in its login component that allows unauthenticated remote attackers to hijack user sessions. Public exploit code exists for this vulnerability, which enables attackers to impersonate legitimate users and gain unauthorized access to the system. No patch is currently available.
Session Fixation vulnerability in QR Menu Pro Smart Menu Systems Menu Panel allows Session Hijacking.This issue affects Menu Panel: through 29012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. [CVSS 5.7 MEDIUM]
Session Fixation vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Session Fixation.This issue affects QR Menu: before s1.05.12. [CVSS 5.7 MEDIUM]
An issue was discovered in Overhang.IO (tutor-open-edx) (overhangio/tutor) 20.0.2 allowing local unauthorized attackers to gain access to sensitive information due to the absence of proper. Rated low severity (CVSS 3.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
A vulnerability in the web management interface of the AOS-CX OS user authentication service could allow an authenticated remote attacker to hijack an active user session. Rated medium severity (CVSS 5.8), this vulnerability is low attack complexity. No vendor patch available.
Session hijacking against Rolantis Information Technologies Agentis prior to version 4.44 is possible because the application fails to regenerate session identifiers across authentication state changes, letting a remote attacker who can lure a victim into using an attacker-supplied session token take over the authenticated session. CVSS 8.8 reflects full confidentiality, integrity, and availability impact once hijacked, but no public exploit identified at time of analysis and the issue is not on the CISA KEV list.
Flag Forge is a Capture The Flag (CTF) platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
A Session Fixation vulnerability existed in Payload's SQLite adapter due to identifier reuse during account creation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Session Fixation vulnerability in Apache Tomcat via rewrite valve.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability was detected in givanz Vvveb 1.0.6.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
CVE-2025-49812 is an HTTP request smuggling/desynchronization vulnerability in Apache HTTP Server's mod_ssl that allows man-in-the-middle attackers to hijack HTTPS sessions by exploiting improper handling of TLS upgrades. Only Apache HTTP Server versions through 2.4.63 with 'SSLEngine optional' configurations are affected, enabling session hijacking with high confidentiality and integrity impact. The vulnerability requires network-level access and careful timing but does not require user interaction or privileges; upgrade to 2.4.64 (which removes TLS upgrade support entirely) is the recommended mitigation.
CVE-2025-52557 is a stored/reflected XSS vulnerability in Mail-0's Zero email solution (version 0.8) that allows unauthenticated attackers to craft malicious emails containing unexecuted JavaScript code. When a victim opens the email in the web interface, the JavaScript executes in their browser context, enabling session hijacking and potential account takeover. The vulnerability has been patched in version 0.81, and exploitation requires user interaction (opening the email), making it a moderate-to-high severity issue suitable for rapid patching.
A vulnerability was found in PHPGurukul Hostel Management System 2.1 in the /hostel/change-password.php file of the user panel - Change Password component. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /loginsystem/change-password.php file of the user panel - Change Password component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
This vulnerability exists in Meon KYC solutions due to improper handling of access and refresh tokens in certain API endpoints of authentication process. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session hijacking attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 11.5% and no vendor patch available.
Improper session management in Elber REBLE310 Firmware v5.5.1.R , Equipment Model: REBLE310/RX10/4ASI allows attackers to execute a session hijacking attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Internet Starter, one of SoftCOM iKSORIS system modules, allows for setting an arbitrary session cookie value. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
When configured using SAML, a session fixation vulnerability in the GlobalProtect™ login enables an attacker to impersonate a legitimate authorized user and perform actions as that GlobalProtect. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
authentik is an open-source identity provider. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, no authentication required.
Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Session Fixation OVE-20230524-0004. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, with allows the converted user to escalate their privileges depending on. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.
IBM OpenPages with Watson 8.3 and 9.0 IBM OpenPages with Watson Assistant chat feature enabled the application establishes a session when a user logs in and uses chat, but the chat session is still. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Tiny File Manager v2.4.7 and below is vulnerable to session fixation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
HCL iAutomate is affected by a session fixation vulnerability. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable. No vendor patch available.
A UAA configured with multiple identity zones, does not properly validate session information across those zones. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A malicious actor can fix the session of a PAM user by tricking the user to click on a specially crafted link to the PAM server. Rated critical severity (CVSS 9.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
An improper session validation allows an unauthenticated attacker to cause certain request notifications to be executed in the context of an incorrect user by spoofing the client IP address. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Mailcow through 2024-11b has a session fixation vulnerability in the web panel. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue in youdiancms v.9.5.20 and before allows a remote attacker to escalate privileges via the sessionID parameter in the index.php file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
HCL MyXalytics is affected by a session fixation vulnerability. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable. No vendor patch available.
HCL MyXalytics is affected by a session fixation vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Session Fixation vulnerability in Drupal Two-factor Authentication (TFA) allows Session Fixation.0.0 before 1.8.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Password Pusher is an open source application to communicate sensitive information over the web. Rated medium severity (CVSS 5.7). No vendor patch available.
An attacker who can spoof the IP address and the User-Agent of a logged-in user can takeover the session because of flaws in the self-developed session management. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
Session Fixation vulnerabilities allow an attacker to fix a users session identifier before login providing an opportunity for session takeover on a product. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Session Fixation vulnerability in Apache Kylin.0.0 through 4.x. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Umbraco is a free and open source .NET content management system. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
A vulnerability classified as problematic has been found in PHPGurukul Boat Booking System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Session Fixation vulnerability in Oceanic Software ValeApp allows Brute Force, Session Hijacking.0.0. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The H2-DM1E PLC's authentication protocol appears to utilize either a custom encoding scheme or a challenge-response protocol. Rated high severity (CVSS 8.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP2). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A session fixation issue was discovered in the SAML adapters provided by Keycloak. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.
An issue in Outline <= v0.76.1 allows attackers to execute a session hijacking attack via user interaction with a crafted magic sign-in link. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Fiber is an Express-inspired web framework written in Go A vulnerability present in versions prior to 2.52.5 is a session middleware issue in GoFiber versions 2 and above. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
A session fixation vulnerability in Bludit allows an attacker to bypass the server's authentication if they can trick an administrator or any other user into authorizing a session ID of their. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable. No vendor patch available.
The application does not change the session token when using the login or logout functionality. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A session fixation vulnerability exists in the zenml-io/zenml application, where JWT tokens used for user authentication are not invalidated upon logout. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
Contao is an open source content management system. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity.
Sunshine is a self-hosted game stream host for Moonlight. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. Public exploit code available.
A vulnerability was found in Bdtask Wholesale Inventory Management System up to 20240311. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Session Hijack vulnerability in Deprecated VMware Enhanced Authentication Plug-in could allow a malicious actor with unprivileged local access to a windows operating system can hijack a privileged. Rated high severity (CVSS 7.8). No vendor patch available.
Graylog is a free and open log management platform. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable.
Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
An issue was discovered on GL.iNet devices before version 4.5.0. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability classified as problematic has been found in SourceCodester Engineers Online Portal 1.0. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
A session hijacking vulnerability has been detected in the Imou Life application affecting version 6.7.0. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Uptime Kuma is an easy-to-use self-hosted monitoring tool. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.
Franklin Fueling Systems System Sentinel AnyWare (SSA) version 1.6.24.492 is vulnerable to Session Fixation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.
Versions of Puppet Enterprise prior to 2021.7.6 and 2023.5 contain a flaw which results in broken session management for SAML implementations. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Sielco PolyEco1000 is vulnerable to a session hijack vulnerability due to the cookie being vulnerable to a brute force attack, lack of SSL, and the session being visible in requests. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A session fixation vulnerability in South River Technologies' Titan MFT and Titan SFTP servers on Linux and Windows allows an attacker to bypass the server's authentication if they can trick an. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Session fixation in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 enables remote attackers to pre-set a known session identifier in a victim's browser, then hijack the authenticated session after the victim logs in. The CVSS 4.0 score of 2.9 reflects limited impact scope (low confidentiality, integrity, and availability) combined with high attack complexity, though a public exploit has been released (E:P). No CISA KEV listing indicates no confirmed widespread active exploitation at time of analysis.
Session fixation in the Wikimedia Foundation OAuth MediaWiki extension (src/Backend/MWOAuthServer.php) allows a network-accessible, low-privileged attacker to manipulate the OAuth authorization handshake so that a victim's authentication binds to an attacker-controlled session identifier. All four actively maintained release branches are affected through versions 1.46.0, 1.45.4, 1.44.6, and 1.43.9. No public exploit or CISA KEV listing exists at time of analysis; however, the 'Information Disclosure' tag applied to this CVE creates tension with the vendor-supplied CVSS 4.0 zero-impact scoring and warrants independent verification.
Session fixation in the Capgo cloud console login endpoint (console.capgo.app/login) allows unauthenticated remote attackers to force victims into attacker-controlled sessions by crafting malicious URLs containing attacker-owned tokens. Versions before 12.128.2 silently accept access_token and refresh_token as URL query parameters and authenticate the user without confirmation, bypassing normal login flows. Tokens passed via URL are additionally exposed in browser history, server access logs, and HTTP Referer headers, creating secondary information-disclosure risk. No public exploit code and no CISA KEV listing exist at time of analysis.
Session fixation in KTM System e-BOK (an online customer service portal) enables an attacker to preset a session identifier in a victim's browser before authentication, which the application then retains unchanged after successful login. Because the server accepts a client-supplied cookie value and never regenerates it at the authentication boundary, an attacker who controls the initial session token can hijack the victim's fully authenticated session. A patch was published by KTM System in June 2026; no public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Multiple OAuth 2.0 flow weaknesses in the MISP AAD (Azure Active Directory) authentication plugin allow session hijacking, session fixation, CSRF/replay against the OAuth callback, plaintext credential exposure over non-HTTPS redirect URIs, and log injection. The plugin reused the PHP session_id() as the OAuth state parameter, never rotated the session ID after login, did not enforce HTTPS on the redirect URI, and logged attacker-controlled GET parameters verbatim. No public exploit identified at time of analysis, but an upstream fix is available in MISP commit 146bc40.
Session fixation in Digiwin EasyFlow .NET allows unauthenticated remote attackers to pre-set a victim's session identifier and hijack the authenticated session once the victim logs in, inheriting the victim's privileges. No public exploit identified at time of analysis, but the CVSS 4.0 score of 7.7 and HIGH impact across confidentiality, integrity, and availability mark this as a meaningful risk for organizations using the workflow platform. The flaw is tracked under CWE-384 and was disclosed via TWCERT, with no specific patched version cited in the provided references.
Session fixation in Spring Framework's WebFlux reactive stack (versions 5.3.x through 7.0.x) enables a remote attacker to hijack an authenticated user's session by leveraging a compromised subdomain - typically via cross-site scripting - to plant a known session ID and exchange it for the victim's authenticated session post-login. The attack is classified as CWE-384 and requires both a prior subdomain compromise and user interaction, placing real-world exploitability well below the headline concern for most deployments. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Session fixation in tittuvarghese CollegeManagementSystem enables remote attackers to hijack authenticated user sessions by pre-setting a session identifier via the UserAuthData argument passed to session_start() in /login-form.php. Successful exploitation requires a victim to complete login through an attacker-crafted URL, granting the attacker access to the victim's authenticated session with partial confidentiality, integrity, and availability impact (C:L/I:L/A:L). A publicly available exploit exists via a published GitHub issue, but no patch has been released and the maintainer has not responded to responsible disclosure.
Authentication bypass in Neterbit NW-431F routers running firmware 20241014-IR03 and earlier allows remote unauthenticated attackers to gain administrative access by simply setting a session cookie value to a predictable string such as 'admin'. The CVSS 9.8 rating reflects trivial network exploitability with full confidentiality, integrity, and availability impact, and a public proof-of-concept exists in the referenced GitHub repository, though the issue is not currently listed in CISA KEV.
Session fixation in QuickCMS (OpenSolution) allows an attacker to pre-set a victim's session identifier before the victim authenticates, and because the application fails to regenerate the session ID upon login, the attacker can subsequently hijack the fully authenticated session. All QuickCMS 6.8 deployments lacking the patch published on 2026-05-15 are vulnerable. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the attack requires no attacker privileges and only passive user interaction, making targeted abuse realistic wherever attacker session pre-positioning is feasible.
Cross-Space session fixation in Gradio before 6.15.0 lets an attacker who controls any Hugging Face Space poison a process-wide httpx.AsyncClient shared by the framework's /proxy= reverse-proxy endpoint. Because that single client keeps one cookie jar, a Set-Cookie header returned by a malicious upstream Space is stored and automatically replayed on every subsequent proxied request to sibling *.hf.space URLs, allowing the attacker to fix a parent-domain cookie across all users of the same Gradio deployment. SSVC rates exploitation as proof-of-concept with total technical impact; the issue is not in CISA KEV and is fixed in release 6.15.0 (GHSA-2mr9-9r47-px2g).
Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID.
Session fixation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.
Session fixation in Pandora FMS versions 777-800 enables session hijacking when attackers supply crafted session IDs to users. Successful exploitation grants attackers complete access to victim user sessions with high confidentiality and integrity impact. No public exploit code identified at time of analysis, though attack complexity is low with network-based delivery requiring only user interaction (CVSS 7.6).
Session fixation vulnerability in docuFORM Managed Print Service Client 11.11c allows unauthenticated remote attackers to hijack user sessions via the login page, enabling unauthorized access to application functions and potential disclosure of sensitive print job data. The vulnerability requires user interaction (clicking a malicious link) and affects confidentiality and integrity with a CVSS score of 5.4. No public exploit code or active exploitation has been confirmed at the time of analysis.
Privilege escalation in Open WebUI ≤0.8.12 allows demoted administrators to retain elevated access to collaborative documents via stale Socket.IO sessions. When an admin user is demoted or deleted, their active WebSocket connection preserves cached admin privileges indefinitely through heartbeat mechanisms, enabling unauthorized read/write access to any user's notes. Official patch released in version 0.9.0 addresses the session invalidation gap. CVSS 8.1 (High) with network attack vector and low complexity; no public exploit identified at time of analysis.
Session fixation in Apache Wicket AuthenticatedWebSession allows remote unauthenticated attackers to hijack user sessions and escalate privileges by fixing session identifiers before authentication completes. Affects Wicket 8.0.0-8.17.0, 9.0.0-9.22.0, and 10.0.0-10.8.0. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability despite critical CVSS 9.1, suggesting this requires specific deployment conditions. Not listed in CISA KEV; no public POC identified at time of analysis. Apache has published vendor advisories with fix versions across all three major release branches.
Dell PowerProtect Data Domain DD OS versions 8.4-8.5 contain a session fixation vulnerability allowing high-privileged remote attackers to hijack authenticated sessions and gain unauthorized access without requiring user interaction. CVSS 6.2 reflects the high-complexity attack surface (AC:H) offset by elevated attacker privileges (PR:H) and direct confidentiality/integrity impact; no public exploit or active exploitation has been identified at time of analysis.
Session fixation in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 enables unauthenticated remote attackers to hijack user sessions via main/lp/aicc_hacp.php. User-controlled request parameters directly manipulate PHP session IDs before application bootstrap, allowing attackers to force victims into attacker-controlled sessions. Successful exploitation grants high-severity access to confidential data and platform integrity. No public exploit identified at time of analysis.
Session hijacking in the Model Context Protocol Ruby SDK (mcp gem) allows attackers to intercept Server-Sent Events streams by reusing valid session identifiers. The streamable_http_transport.rb implementation overwrites existing SSE stream objects when a duplicate session ID connects, silently disconnecting legitimate users and redirecting all tool responses and real-time data to the attacker. A proof-of-concept demonstration has been provided showing successful stream hijacking, where the attacker receives confidential tool call responses intended for the victim. Patch available per vendor advisory (release v0.9.2 per references).
Bludit versions prior to 3.17.2 allow attackers to fix a victim's session identifier before authentication, with the session ID persisting unchanged after successful login, enabling authenticated session hijacking via session fixation. The vulnerability affects all Bludit instances below version 3.17.2 and requires local access and user interaction to exploit. No public exploit code or active exploitation has been identified at the time of analysis, though the session fixation mechanism poses a moderate risk in multi-user or shared-access environments.
Session fixation via remote phishing in OpenBao before 2.5.2 lets an unauthenticated attacker hijack a victim's identity when a JWT/OIDC auth role is configured with callback_mode=direct. Because direct mode skips any confirmation prompt and calls back straight to the API, an attacker initiates the auth flow, lures a victim into completing the login through a crafted URL, then polls the API to collect the OpenBao token that gets issued under the victim's identity. There is no public exploit identified at time of analysis, EPSS is low (0.06%, 19th percentile), and it is not in CISA KEV, though SSVC rates the technical impact as total.
Session invalidation failure in HCL Aftermarket DPC versions up to 1.0.0 allows authenticated attackers to maintain active sessions after a password change, enabling persistent account takeover. An attacker who gains initial session access can continue to operate under a compromised account identity even after the victim resets their password, as the application fails to terminate pre-existing sessions upon credential modification. No public exploit code or active exploitation has been identified at time of analysis.
AVideo, an open-source video platform, contains a session fixation vulnerability that allows attackers to hijack user sessions and achieve full account takeover. The flaw affects the AVideo Composer package (pkg:composer/wwbn_avideo) and stems from accepting arbitrary session IDs via URL parameters, bypassing session regeneration for specific endpoints, and disabled session regeneration during login. A public proof-of-concept exploit is available in the GitHub security advisory, and the vulnerability requires only low privileges (authenticated attacker) and user interaction (victim clicking a malicious link), making it highly exploitable.
ScadaBR 1.12.4 is vulnerable to Session Fixation. The application assigns a JSESSIONID session cookie to unauthenticated users and does not regenerate the session identifier after successful authentication. [CVSS 4.8 MEDIUM]
Session fixation vulnerability in PluXml CMS allows attackers to set session identifiers before authentication, enabling session hijacking after the victim logs in.
SourceCodester Prison Management System 1.0 contains a session fixation vulnerability in its login component that allows unauthenticated remote attackers to hijack user sessions. Public exploit code exists for this vulnerability, which enables attackers to impersonate legitimate users and gain unauthorized access to the system. No patch is currently available.
Session Fixation vulnerability in QR Menu Pro Smart Menu Systems Menu Panel allows Session Hijacking.This issue affects Menu Panel: through 29012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. [CVSS 5.7 MEDIUM]
Session Fixation vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Session Fixation.This issue affects QR Menu: before s1.05.12. [CVSS 5.7 MEDIUM]
An issue was discovered in Overhang.IO (tutor-open-edx) (overhangio/tutor) 20.0.2 allowing local unauthorized attackers to gain access to sensitive information due to the absence of proper. Rated low severity (CVSS 3.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
A vulnerability in the web management interface of the AOS-CX OS user authentication service could allow an authenticated remote attacker to hijack an active user session. Rated medium severity (CVSS 5.8), this vulnerability is low attack complexity. No vendor patch available.
Session hijacking against Rolantis Information Technologies Agentis prior to version 4.44 is possible because the application fails to regenerate session identifiers across authentication state changes, letting a remote attacker who can lure a victim into using an attacker-supplied session token take over the authenticated session. CVSS 8.8 reflects full confidentiality, integrity, and availability impact once hijacked, but no public exploit identified at time of analysis and the issue is not on the CISA KEV list.
Flag Forge is a Capture The Flag (CTF) platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
A Session Fixation vulnerability existed in Payload's SQLite adapter due to identifier reuse during account creation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Session Fixation vulnerability in Apache Tomcat via rewrite valve.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability was detected in givanz Vvveb 1.0.6.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
CVE-2025-49812 is an HTTP request smuggling/desynchronization vulnerability in Apache HTTP Server's mod_ssl that allows man-in-the-middle attackers to hijack HTTPS sessions by exploiting improper handling of TLS upgrades. Only Apache HTTP Server versions through 2.4.63 with 'SSLEngine optional' configurations are affected, enabling session hijacking with high confidentiality and integrity impact. The vulnerability requires network-level access and careful timing but does not require user interaction or privileges; upgrade to 2.4.64 (which removes TLS upgrade support entirely) is the recommended mitigation.
CVE-2025-52557 is a stored/reflected XSS vulnerability in Mail-0's Zero email solution (version 0.8) that allows unauthenticated attackers to craft malicious emails containing unexecuted JavaScript code. When a victim opens the email in the web interface, the JavaScript executes in their browser context, enabling session hijacking and potential account takeover. The vulnerability has been patched in version 0.81, and exploitation requires user interaction (opening the email), making it a moderate-to-high severity issue suitable for rapid patching.
A vulnerability was found in PHPGurukul Hostel Management System 2.1 in the /hostel/change-password.php file of the user panel - Change Password component. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /loginsystem/change-password.php file of the user panel - Change Password component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
This vulnerability exists in Meon KYC solutions due to improper handling of access and refresh tokens in certain API endpoints of authentication process. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session hijacking attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 11.5% and no vendor patch available.
Improper session management in Elber REBLE310 Firmware v5.5.1.R , Equipment Model: REBLE310/RX10/4ASI allows attackers to execute a session hijacking attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Internet Starter, one of SoftCOM iKSORIS system modules, allows for setting an arbitrary session cookie value. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
When configured using SAML, a session fixation vulnerability in the GlobalProtect™ login enables an attacker to impersonate a legitimate authorized user and perform actions as that GlobalProtect. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
authentik is an open-source identity provider. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, no authentication required.
Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Session Fixation OVE-20230524-0004. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, with allows the converted user to escalate their privileges depending on. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.
IBM OpenPages with Watson 8.3 and 9.0 IBM OpenPages with Watson Assistant chat feature enabled the application establishes a session when a user logs in and uses chat, but the chat session is still. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Tiny File Manager v2.4.7 and below is vulnerable to session fixation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
HCL iAutomate is affected by a session fixation vulnerability. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable. No vendor patch available.
A UAA configured with multiple identity zones, does not properly validate session information across those zones. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A malicious actor can fix the session of a PAM user by tricking the user to click on a specially crafted link to the PAM server. Rated critical severity (CVSS 9.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
An improper session validation allows an unauthenticated attacker to cause certain request notifications to be executed in the context of an incorrect user by spoofing the client IP address. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Mailcow through 2024-11b has a session fixation vulnerability in the web panel. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue in youdiancms v.9.5.20 and before allows a remote attacker to escalate privileges via the sessionID parameter in the index.php file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
HCL MyXalytics is affected by a session fixation vulnerability. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable. No vendor patch available.
HCL MyXalytics is affected by a session fixation vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Session Fixation vulnerability in Drupal Two-factor Authentication (TFA) allows Session Fixation.0.0 before 1.8.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Password Pusher is an open source application to communicate sensitive information over the web. Rated medium severity (CVSS 5.7). No vendor patch available.
An attacker who can spoof the IP address and the User-Agent of a logged-in user can takeover the session because of flaws in the self-developed session management. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
Session Fixation vulnerabilities allow an attacker to fix a users session identifier before login providing an opportunity for session takeover on a product. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Session Fixation vulnerability in Apache Kylin.0.0 through 4.x. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Umbraco is a free and open source .NET content management system. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
A vulnerability classified as problematic has been found in PHPGurukul Boat Booking System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Session Fixation vulnerability in Oceanic Software ValeApp allows Brute Force, Session Hijacking.0.0. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The H2-DM1E PLC's authentication protocol appears to utilize either a custom encoding scheme or a challenge-response protocol. Rated high severity (CVSS 8.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP2). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A session fixation issue was discovered in the SAML adapters provided by Keycloak. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.
An issue in Outline <= v0.76.1 allows attackers to execute a session hijacking attack via user interaction with a crafted magic sign-in link. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Fiber is an Express-inspired web framework written in Go A vulnerability present in versions prior to 2.52.5 is a session middleware issue in GoFiber versions 2 and above. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
A session fixation vulnerability in Bludit allows an attacker to bypass the server's authentication if they can trick an administrator or any other user into authorizing a session ID of their. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable. No vendor patch available.
The application does not change the session token when using the login or logout functionality. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A session fixation vulnerability exists in the zenml-io/zenml application, where JWT tokens used for user authentication are not invalidated upon logout. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
Contao is an open source content management system. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity.
Sunshine is a self-hosted game stream host for Moonlight. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. Public exploit code available.
A vulnerability was found in Bdtask Wholesale Inventory Management System up to 20240311. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Session Hijack vulnerability in Deprecated VMware Enhanced Authentication Plug-in could allow a malicious actor with unprivileged local access to a windows operating system can hijack a privileged. Rated high severity (CVSS 7.8). No vendor patch available.
Graylog is a free and open log management platform. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable.
Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
An issue was discovered on GL.iNet devices before version 4.5.0. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability classified as problematic has been found in SourceCodester Engineers Online Portal 1.0. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
A session hijacking vulnerability has been detected in the Imou Life application affecting version 6.7.0. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Uptime Kuma is an easy-to-use self-hosted monitoring tool. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.
Franklin Fueling Systems System Sentinel AnyWare (SSA) version 1.6.24.492 is vulnerable to Session Fixation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.
Versions of Puppet Enterprise prior to 2021.7.6 and 2023.5 contain a flaw which results in broken session management for SAML implementations. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Sielco PolyEco1000 is vulnerable to a session hijack vulnerability due to the cookie being vulnerable to a brute force attack, lack of SSL, and the session being visible in requests. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A session fixation vulnerability in South River Technologies' Titan MFT and Titan SFTP servers on Linux and Windows allows an attacker to bypass the server's authentication if they can trick an. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.